25 June 2020

CryptoCore gang has stolen over $200M from cryptocurrency exchanges


A mysterious hacker group is targeting online cryptocurrency exchanges with spear-phishing attacks against employees and executives. The group, tracked as CryptoCore, Dangerous Password or Leery Turtle, is believed to have stolen more than $200 million from online cryptocurrency exchanges since 2018, according to a new report from the cyber-security firm ClearSky.

The group, believed to operate out of Eastern Europe (Ukraine, Russia or Romania in particular), has been active since at least May 2018. In the first half of 2020 CryptoCore slowed its activity, possibly because of COVID-19 pandemic restrictions, but did not stop altogether.

According to the researchers, the CryptoCore group is not highly advanced technically, but it is swift and effective. The group mainly targets cryptocurrency exchanges in the United States, Japan, and the Middle East.

“The key goal of CryptoCore’s heists is to gain access to cryptocurrency exchanges’ wallets, be it general corporate wallets or wallets belonging to the exchange’s employees. For this kind of operation, the group begins with an extensive reconnaissance phase against the company, its executives, officers and IT personnel,” the report said.

To achieve this goal, the hackers rely on spear-phishing attacks, primarily targeting the executives’ personal email accounts.

“Infiltrating the personal email accounts is an optional phase; however, it’s a matter of hours to weeks until the spear-phishing email is sent to a corporate email account of an exchange’s executive,” according to the report.

Typically, the phishing messages are disguised as emails from a high-ranking employee, either of the target company or of another organization with ties to the targeted employee.

Once they gain an initial foothold on the system, the hackers attempt to access the victim’s password manager account, where the keys to crypto-wallets and other valuable assets are stored. The attackers then disable multi-factor authentication and start transferring funds out of the exchange’s “hot wallets.”
